Recently we came across a tweet about a malware called Luxy that has both stealer and ransomware capabilities. The stealer component is similar to Umbral Stealer: it collects user passwords and browser details and exfiltrates them using Telegram, while the ransomware component encrypts all the files and leaves a ransom note containing the decryption key.

Fig 1: Die_Output

The sample being analyzed is a 32-bit executable file compiled with .NET(v4.0.30319).

Fig 2: Entry point

The executable consists of three modules, viz. BlockAvSites, Stealer and Ransomware. We will look into each module in detail.

Fig 3: Checking network and VM

The process first registers a mutex so that only a single instance runs. It proceeds only when a network connection is available, which it verifies by trying to access the URL highlighted in Fig 4.

Fig 4: Checking that the system is connected to the network

Fig 5: Virtual machine check sub-modules

The malware then checks whether it is executing in a VM, using multiple factors such as the system UUID, computer name, username, running processes and the presence of a debugger, each handled by its own detection method.

Fig 6: Script for checking System Uuid and Running Process

The SystemID check reads the current system UUID and compares it with a blacklisted UUID list; if it matches, the malware kills its own process. Similarly, it enumerates the currently running processes using the GetProcesses API and terminates if any of them matches a list of known monitoring tools.

Fig 7: List of blacklisted names, users, UUIDs and tasks

Fig 7 shows the blacklisted UUIDs, computer names, users and tasks that the malware uses to avoid being monitored. If any of them matches, the malware terminates. Among the blacklisted UUIDs and computer names are those of popular sandboxes.

Fig 8: Script containing the AV site list and the hosts file modification

Here the malware blocks access to the websites shown in the image by modifying the hosts file so that the listed domains map to 0.0.0.0. As a result, content from these websites cannot be loaded.
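As an added defender-side example (not code from this write-up or from the sample), the following Go program parses a hosts file and reports every hostname that has been sinkholed to 0.0.0.0 or a loopback address, apart from the stock localhost entries; the domains in the sample input are constructed placeholders, not the ones listed in Fig 8.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sinkholeIPs: 0.0.0.0 is what the sample writes; loopback is included
// because the same trick is commonly done with 127.0.0.1 or ::1.
var sinkholeIPs = map[string]bool{"0.0.0.0": true, "127.0.0.1": true, "::1": true}

// Names that legitimately map to loopback in a stock hosts file.
var benignNames = map[string]bool{"localhost": true, "localhost.localdomain": true, "broadcasthost": true}

// SinkholedHosts parses hosts-file text and returns every hostname mapped
// to a sinkhole address other than the stock localhost entries.
func SinkholedHosts(hosts string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(hosts))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip trailing comments
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || !sinkholeIPs[fields[0]] {
			continue
		}
		for _, name := range fields[1:] { // one IP may carry several names
			if !benignNames[strings.ToLower(name)] {
				hits = append(hits, strings.ToLower(name))
			}
		}
	}
	return hits
}

// Constructed sample; the domains are placeholders, not those in Fig 8.
const sampleHosts = `# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 example-av-vendor.test
0.0.0.0 updates.example-av-vendor.test   # added by malware
`

func main() {
	for _, h := range SinkholedHosts(sampleHosts) {
		fmt.Println("sinkholed:", h)
	}
}
```

On a live system, feed it the contents of C:\Windows\System32\drivers\etc\hosts and alert on any non-empty result.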

Fig 9: List of Browsers

Fig 9 lists the browsers whose password and cookie information is stolen.

Fig 10: Script for collecting cookies of the browser

The script in Fig 10 is used to obtain the key with which Chrome encrypts its cookies. The GetEncryptionKey method extracts the encrypted key and decrypts it. A similar method is followed for the other browsers.

Fig 11: Script for collecting password of the browser

Fig 11 shows the script to steal passwords from Chrome.

Fig 12: Script for stealing crypto currency wallet information

It then steals the crypto currency wallet information and stores it in the source.txt file. The method tracks the number of files successfully copied.

Fig 13: Script for extracting details from crypto currency wallets

The wallets targeted are Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, AtomicWallet, Guarda and Coinomi. The malware searches for each wallet's information in turn and, if found, stores it as a text file.

Fig 14: Script for stealing Minecraft session

The StealMinecraftSessionFiles method copies Minecraft session files, which contain sensitive information related to user authentication, from a predefined list of paths to a specified destination directory, and logs the source path of each file to Source.txt. Error handling ensures that the created directories are cleaned up if copying fails, and the method tracks the number of files successfully collected.

Fig 15: List of Minecraft sessions

The script shown in Fig 15 steals the Minecraft session information of Intent, Lunar, TLauncher, Feather, Meteor, Impact, Novoline, CheatBreakers, Microsoft Store, Rise, Rise (Intent), Paladium, PolyMC and Badlion. The malware searches for each of these in turn and, if found, stores it as a text file.

Fig 16: Roblox cookies

The RobloxCookieStealer extracts Roblox cookies from the registry and from various browsers. It reads the registry value using the Get-ItemPropertyValue PowerShell cmdlet and also collects cookies through a set of browser cookie extraction tasks.

Fig 17: Script containing the ransomware module

Fig 17 shows the ransomware module, which encrypts all the files and leaves the ransom note in the malware's path.

Fig 18: Script for finding the sample's execution path

It first determines the path from which the malware is executing, so that it can list all the files in that directory for further processing. It also checks the extensions of the files in that path.

Fig 19: Script for collecting all files in the malware's execution path

It then retrieves all the files from the directory containing the malware.

Fig 20: Script for renaming the file extension

It then encrypts each file using the AES256 algorithm and, once the content is encrypted, replaces the file's extension with the encrypted extension.

Fig 21: Script containing the encryption method

The files are encrypted with AES. The Encrypt method configures AES with a 128-bit key and IV (initialization vector), while the PerformCryptography method handles the actual encryption using a CryptoStream and returns the encrypted byte array. The encryption uses PaddingMode.Zeros, which pads the plaintext with zero bytes so that its length meets the AES block size requirement.
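To show what PaddingMode.Zeros means for recovery, here is an added Go example (not the malware's code; key and IV are constructed 16-byte test values) that encrypts with AES-128-CBC and zero padding and then decrypts: a file whose real content ends in 0x00 bytes cannot be restored exactly even with the correct key, because the decryptor cannot tell padding from data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed 16-byte key (AES-128) and IV for the demo; not from the sample.
var key = []byte("0123456789abcdef")
var iv = []byte("fedcba9876543210")

// zeroPad mirrors PaddingMode.Zeros: append 0x00 up to a block boundary
// (an already aligned input is left untouched, unlike PKCS#7).
func zeroPad(b []byte, size int) []byte {
	if r := len(b) % size; r != 0 {
		return append(append([]byte{}, b...), make([]byte, size-r)...)
	}
	return b
}

// encryptCBC encrypts with AES-CBC and zero padding.
func encryptCBC(plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // cannot fail for a 16-byte key
	padded := zeroPad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// decryptCBC reverses it and strips trailing zeros, which is all a
// decryptor configured with PaddingMode.Zeros can do.
func decryptCBC(ciphertext []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return bytes.TrimRight(out, "\x00")
}

// roundTrip reports whether decryption restores the original bytes exactly.
func roundTrip(plaintext []byte) bool {
	return bytes.Equal(decryptCBC(encryptCBC(plaintext)), plaintext)
}

func main() {
	fmt.Println(roundTrip([]byte("text file")))           // true
	fmt.Println(roundTrip([]byte("PNG\x00\x00\x00\x00"))) // false: trailing zeros lost
}
```

Binary formats that legitimately end in zero bytes are therefore the ones most likely to come back corrupted after decryption with this scheme.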

Fig 22: Ransom note

Once the files in all the folders are encrypted, it drops a .txt file in the sample path containing the ransom note, which states that all the files have been encrypted and gives a contact for obtaining the decryption key.

With the increasing risk of malware attacks, it’s important to take steps to protect your data. Using a reliable security product like K7 Total Security and keeping it updated is crucial to defend against these threats.

IOC

Hash: 09B5F5200E59D3A4623D739661CE9832
Detection Name: Password-Stealer ( 005a3e671 )
